Abstract

The paper presents a relatively complete deductive system for proving branching time temporal properties of reactive programs. No deductive system for verifying branching time temporal properties has been presented before. Our deductive system enjoys the following advantages. First, given a well-formed specification there is no need to translate it into a normal-form specification since the system can handle any well-formed specification. Second, given a specification to be verified, the proof rule to be applied is easily determined according to the top level operator of the specification. Third, the system reduces temporal verification to assertional reasoning rather than to temporal reasoning.


1 Introduction


Temporal logics are widely accepted and frequently used for specifying concurrent and reactive programs. In recent years, many fully automatic methods for verifying temporal specifications have been presented, such as model checkers [4]. However, the scope of these methods is still very limited; the fully automatic methods mainly apply to finite state programs and to special classes of infinite state programs. Therefore, the main tool for establishing that a program satisfies its temporal specification is still that of deductive verification, using a set of axioms and inference rules.

Deductive verification can also be aided by the computer. A deductive verification system can easily be embedded in automated theorem provers, like Nuprl [5], HOL [8], Boyer-Moore [3] and Coq [6]. An automated theorem prover is an interactive environment for proof generation. It assists the development of proofs by exploring the possible proof steps, checking and writing intermediate results and assembling the solution.

We present a relatively complete deductive system for verifying fair branching-time temporal logic specifications (fair CTL). No deductive verification system has been presented before for fair CTL. All previous deductive systems for verifying temporal properties, e.g., [16], [9], [17], [12], [15], are concerned only with linear temporal logic (LTL). The previous deductive systems also suffer from the following drawback. They offer a relatively complete deductive system only for normal-form formulas. Thus, all other properties whose expression in LTL does not fall into the restricted normal-form can be verified only by translating them into normal-form formulas. The known method for translating an arbitrary (future) LTL formula into a normal-form is very complex in both the time complexity of the translation and the size of the resulting formula. First a tableau method is used to translate a future formula into a counter-free ω-automaton and then this automaton is translated into a normal-form formula [11], [18]. In contrast, our deductive system can handle an arbitrary nesting of temporal operators in a formula while no normal-form is required.

Our deductive system also enjoys the following two advantages. First, given a specification to be verified, the possible rules or axioms to be applied are solely determined by the top level operator of the specification. Moreover, in most cases, the next possible rule to be applied is uniquely defined. This property of the deduction system is very helpful when embedding the system in an automated theorem prover. Second, all rules in our system reduce the task of verifying a temporal property into subgoals that either require proving the validity of assertional formulas or the verification of simpler temporal properties. In other words, none of the generated subgoals require proving validity of temporal formulas.

Next we describe our work in some more detail. The deduction system proves validity of correctness formulas of the form "$P\ \mathit{Sat}\ p \to f$", where $P$ is a program, $p$ is a precondition given in some assertional language and $f$ is a fair CTL formula. A program is defined as a set of transitions. A program step is executed by choosing nondeterministically, in a weakly fair manner [7], an enabled transition for execution. The weak fairness guarantees that every constantly enabled transition is eventually chosen for execution. Formulas of fair CTL are interpreted over a node in a computation tree of a program. Every temporal operator consists of a path quantifier together with one modal operator. A path quantifier is either $A$ for "all fair paths" or $E$ for "there exists a fair path". A modal operator is either $X$ for "next-state", $G$ for "globally" or $U$ for "until". A correctness formula "$P\ \mathit{Sat}\ p \to f$" is valid iff for every computation tree of $P$, the root node satisfies $p \to f$, where $\to$ denotes implication (defined as usual).

Of special interest is the rule for verifying the formula $P\ \mathit{Sat}\ p \to EGf_1$. This formula specifies the existence of a fair infinite path in the computation tree of $P$ along which $f_1$ is continuously satisfied. We prove that an infinite path is fair by showing that it consists of infinitely many finite fair intervals. A fair interval is an interval along which every transition is either disabled or executed. To establish that, we introduce a proof tool for identifying the end points of fair intervals and in addition we formulate an inductive argument that implies infinitely many occurrences of such end points along the path (see Section 4.3).

The rest of the paper is organized as follows. In Section 2 the computation model is presented. Section 3 defines fair CTL and correctness formulas. Section 4 presents the deduction system and an example is given in Section 5. In Section 6 we compare our deduction system with CTL model checking and discuss other verification approaches.

2 The computation model

The model of computation we consider is a fair transition system in which each transition $\tau$ is a binary relation over a set of states $\Sigma$. $\sigma_1 \tau \sigma_2$ is used to denote that $(\sigma_1, \sigma_2) \in \tau$. We say that a transition $\tau$ is enabled in a state $\sigma$ if there exists a state $\sigma'$ such that $\sigma \tau \sigma'$. Otherwise, $\tau$ is disabled. We denote by $En(\tau)$ the set of all states in which $\tau$ is enabled. A program $P$ over a set of states $\Sigma$ is a set of transitions over $\Sigma$. We assume the existence of a dummy transition, $\tau^*$, which is enabled exactly when all other transitions are disabled and which leaves the program state unchanged. The dummy transition ensures that all computations of the program are infinite.

Next we formally define the meaning of a program as a set of marked trees. A node $\eta$ is a finite sequence over the natural numbers. A tree $T$ is a set of nodes closed under the prefix operation. A node $\eta$ is an immediate successor of a node $\xi$ if there exists a natural number $n$ such that $\xi \cdot n = \eta$. The root of a tree is the empty sequence. An edge $e$ is a pair of nodes $(\xi, \eta)$ such that $\eta$ is an immediate successor of $\xi$. A path $\pi$ from a node $\eta$ is an infinite sequence $\eta_0 \eta_1 \ldots$ such that $\eta_0 = \eta$ and for all $i \ge 0$, $\eta_{i+1}$ is an immediate successor of $\eta_i$. A marked tree is a triple $\langle T, M_n, M_e \rangle$, where $T$ is a tree and $M_n$ is a function that maps every node of $T$ to a state in $\Sigma$. If $M_n(\eta) = s$ then we say that $\eta$ is marked by $s$. $M_e$ is a function that maps every edge in $T$ to a transition of $P$. A marked tree $\langle T, M_n, M_e \rangle$ is a computation tree of $P$ iff the set of immediate successors of every node $\eta$ in $T$ is marked exactly by the set of all states that are reachable from $M_n(\eta)$ via the execution of a single transition of $P$. More formally, for every node $\eta_1$ in $T$ and for every state $s$ in $\Sigma$ and for every transition $\tau$ of $P$:

$$(M_n(\eta_1), s) \in \tau \quad\text{iff}\quad \exists \eta_2 \text{ an immediate successor of } \eta_1 :\ M_n(\eta_2) = s \land M_e(\eta_1, \eta_2) = \tau$$

Finally, the meaning of a program $P$ is the set of all computation trees of $P$.

A transition $\tau$ is enabled in a node $\eta$ in a computation tree $\langle T, M_n, M_e \rangle$ iff $\tau$ is enabled in $M_n(\eta)$. $\tau$ is executed along a path $\pi = \eta_0 \eta_1 \ldots$ of the computation tree iff there exists $i \ge 0$ such that $M_e(\eta_i, \eta_{i+1}) = \tau$. A path $\pi = \eta_1 \eta_2 \ldots$ in a computation tree of $P$ is fair iff for every transition $\tau$ of $P$, if $\tau$ is continuously enabled from some point along $\pi$ then $\tau$ is infinitely often executed along $\pi$. Note that every finite prefix of a path can be extended to a fair path and that every path with an infinite suffix of $\tau^*$ executions is fair.
3 Fair CTL and correctness formulas


Assume an assertional language $L$ whose formulas are interpreted over $\Sigma$.¹ A fair CTL formula is either a formula from $L$ or $\neg f_1$, $f_1 \land f_2$, $AXf_1$, $EXf_1$, $AGf_1$, $EGf_1$, $A[f_1 U f_2]$ and $E[f_1 U f_2]$, where $f_1$ and $f_2$ are fair CTL formulas. Fair CTL formulas are interpreted over a node in a marked tree. Given a node $\eta$, a marked tree $MT$ and a fair CTL formula $f$, the satisfaction relation $MT, \eta \models f$ is defined by induction on the structure of the formula. Intuitively, an assertion $p$ in $L$ is satisfied at a node $\eta$ iff the state that marks $\eta$, that is $M_n(\eta)$, satisfies $p$. $\neg f$ and $f_1 \land f_2$ are defined as usual. $AXf_1$ ($EXf_1$) is satisfied at $\eta$ iff every (at least one) immediate successor of $\eta$ satisfies $f_1$. $AGf_1$ ($EGf_1$) is satisfied at $\eta$ iff every node in every (at least one) fair path from $\eta$ satisfies $f_1$. Finally, $A[f_1 U f_2]$ ($E[f_1 U f_2]$) is satisfied at $\eta$ iff every (at least one) fair path from $\eta$ satisfies $f_1$ until $f_2$, i.e., there exists a node $\eta'$ along the path that satisfies $f_2$ and every node from $\eta$ to $\eta'$ satisfies $f_1$. The set of operators presented above is not minimal; for example, the operators $AG$ and $EG$ can be expressed in terms of $EU$ and $AU$, respectively. We choose to introduce a wider set than necessary in order to simplify the presentation of the proof rules.

A fair CTL correctness formula consists of three components: a precondition $p$ in $L$, a program $P$ and a fair CTL formula $f$, and is of the form "$P\ \mathit{Sat}\ p \to f$". A formula "$P\ \mathit{Sat}\ p \to f$" is interpreted over the root node of a computation tree of $P$. A fair CTL correctness formula is valid, to be denoted $\models P\ \mathit{Sat}\ p \to f$, iff for every computation tree of $P$ the root node satisfies $p \to f$.

An assertional correctness formula consists also of three components: $p$ and $q$ in $L$ and a set of transitions $F$, and is of the form "$\{p\}F\{q\}$". A formula "$\{p\}F\{q\}$" is interpreted over a pair of states $(\sigma_1, \sigma_2)$ such that there exists $\tau \in F$ for which $\sigma_1 \tau \sigma_2$ holds. An assertional correctness formula is valid, to be denoted $\models \{p\}F\{q\}$, iff for every transition $\tau$ in $F$ and every pair of states $(\sigma_1, \sigma_2)$ such that $\sigma_1 \tau \sigma_2$ holds: if $\sigma_1 \models p$ then $\sigma_2 \models q$.

4 The deduction system

In this section we present our deductive system. Proof rules of special interest are explained in detail and their soundness is motivated. The completeness proof is postponed to Appendix A.

4.1 The rules

To verify a specification of the form $P\ \mathit{Sat}\ p \to AXf_1$, we require that every transition of the program $P$ that starts in a state satisfying $p$ results in a state satisfying an assertion $q$. And moreover, if $P'$ denotes the program left to be executed after the execution of a single step of $P$, then every root node of a computation tree of $P'$ that satisfies $q$ should also satisfy $f_1$. Since a program in our model has a single control point, the program left to be executed after performing a single step of the program is the program itself. Therefore, we get:

$$\frac{\{p\}P\{q\} \qquad P\ \mathit{Sat}\ q \to f_1}{P\ \mathit{Sat}\ p \to AXf_1}$$

¹ We assume $L$ is expressive enough to formalize all the sets of states required for the relative completeness of our system. As is known [19], [14], $L$ should at least include the predicate calculus, interpreted symbols for expressing the standard operations and relations over integers and the fixed-point operators $\mu$ and $\nu$.
To verify a specification of the form $P\ \mathit{Sat}\ p \to EXf_1$, we require that there exists a transition $\tau$ in $P$ such that $\tau$ is enabled in all states satisfying $p$ and its execution results in a state satisfying an assertion $q$. And moreover, every root node of a computation tree of $P$ that satisfies $q$ also satisfies $f_1$:

$$\frac{\text{There exists } \tau \in P :\ p \to En(\tau) \text{ and } \{p\}\tau\{q\} \qquad P\ \mathit{Sat}\ q \to f_1}{P\ \mathit{Sat}\ p \to EXf_1}$$

To verify the negations of the above two specifications we rely on the following fair CTL validities:

$$\neg AXf_1 \leftrightarrow EX\neg f_1$$
$$\neg EXf_1 \leftrightarrow AX\neg f_1$$

Thus we get:

$$\frac{P\ \mathit{Sat}\ p \to EX\neg f_1}{P\ \mathit{Sat}\ p \to \neg AXf_1}$$

and

$$\frac{P\ \mathit{Sat}\ p \to AX\neg f_1}{P\ \mathit{Sat}\ p \to \neg EXf_1}$$


4.2 The until-rules

Next we present conditions for verifying $P\ \mathit{Sat}\ p \to A[l_1 U l_2]$, where $l_1$ and $l_2$ are in $L$. Let a prefix of a path in which all nodes satisfy $\neg l_2$ be called $l_2$-avoiding. We have to verify that all $l_2$-avoiding prefixes that start in roots satisfying $p$ are finite and that $l_1$ is continuously satisfied along these prefixes. The following verification conditions establish a well-founded induction on the length of the $l_2$-avoiding prefixes. The induction hypothesis assumes that all nodes along $l_2$-avoiding prefixes satisfy some state predicate $\Phi$ and that a ranking function $\delta$ is defined for all states that mark these nodes, where $\delta$ maps states into a well-founded, partially ordered set $(W, <)$. Moreover, the induction hypothesis assumes that the ranks defined by $\delta$ along an $l_2$-avoiding prefix never increase. In the induction basis we deal with the case of $l_2$-avoiding prefixes of length zero. We require that every state that satisfies $p$ also satisfies either $l_2$ or it satisfies $\Phi$ and $\delta$ is defined for that state (denoted by $\delta \in W$):

AU1. $p \to (l_2 \lor (\Phi \land (\delta \in W)))$

In the induction step we require that every transition of the program that starts in a state satisfying $\Phi$ and for which a rank $w$ is defined by $\delta$ results in a state that either satisfies $l_2$ or it satisfies $\Phi$ and it is mapped by $\delta$ to a rank lower or equal to $w$:

AU2. $\{\Phi \land (\delta = w)\}P\{l_2 \lor (\Phi \land (\delta \le w))\}$

We add the requirement that every state that satisfies $\Phi$ also satisfies $l_1$:

AU3. $\Phi \to l_1$

Conditions AU1–AU3 guarantee that every path in a computation tree of $P$ from a root satisfying $p$ satisfies $l_1$ as long as $l_2$ is not satisfied. To ensure that $l_2$ will eventually be satisfied we rely on the fairness of the computation model, the well-foundedness of $W$ and the additional requirement that for every state that satisfies $\Phi \land (\delta = w)$ there exists an enabled transition of the program whose execution results in a state that either satisfies $l_2$ or satisfies $\Phi$ and for which a lower rank than $w$ is defined by $\delta$:

AU4. For every $w \in W$ there exists $\tau \in P$ :

(1) $(\Phi \land (\delta = w)) \to En(\tau)$

(2) $\{\Phi \land (\delta = w)\}\tau\{l_2 \lor (\Phi \land (\delta < w))\}$

The fairness of the computation model implies that a transition that causes the rank to decrease will eventually be executed, and the well-foundedness of $W$ guarantees that the rank can decrease only finitely many times; therefore a node satisfying $l_2$ must be reached. Thus, we get:

$$\frac{\text{AU1} - \text{AU4}}{P\ \mathit{Sat}\ p \to A[l_1 U l_2]} \quad \text{where } l_1, l_2 \in L$$


A specification $P\ \mathit{Sat}\ p \to E[l_1 U l_2]$, where $l_1, l_2 \in L$, is verified by the above verification conditions AU1, AU3 and AU4. Condition AU2 is omitted in order to relax the set of verification conditions such that they only imply the existence of a fair path with a finite prefix $\eta_0 \eta_1 \cdots \eta_i$ such that $\delta(M_n(\eta_0)) > \delta(M_n(\eta_1)) > \cdots$, $\eta_i$ satisfies $l_2$ and every other node along this prefix satisfies $l_1$:

$$\frac{\text{AU1}, \text{AU3}, \text{AU4}}{P\ \mathit{Sat}\ p \to E[l_1 U l_2]} \quad \text{where } l_1, l_2 \in L$$


To verify a specification of the form $A[f_1 U f_2]$, where either $f_1$ or $f_2$ is not in $L$, we decompose the verification task into three subtasks. One requires that every path in a computation tree of $P$ that starts in a node satisfying $p$ satisfies $l_1$ until $l_2$, where both $l_1$ and $l_2$ are in $L$. The other two require that every root of a computation tree of $P$ that satisfies $l_1$ or $l_2$ also satisfies $f_1$ or $f_2$, respectively:

$$\frac{P\ \mathit{Sat}\ p \to A[l_1 U l_2] \qquad P\ \mathit{Sat}\ l_1 \to f_1 \qquad P\ \mathit{Sat}\ l_2 \to f_2}{P\ \mathit{Sat}\ p \to A[f_1 U f_2]} \quad \text{where } f_1 \notin L \text{ or } f_2 \notin L$$

Again the soundness of this rule relies on the fact that a program has a single control point and the program left to be executed after performing one or more steps is the program itself.

To verify a specification of the form $P\ \mathit{Sat}\ p \to \neg A[f_1 U f_2]$ we rely on the following fair CTL valid formula:

$$\neg A[f_1 U f_2] \leftrightarrow (EG\neg f_2 \lor E[(\neg f_2) U (\neg f_1 \land \neg f_2)])$$

Thus we get:

$$\frac{P\ \mathit{Sat}\ p \to EG\neg f_2 \quad\text{or}\quad P\ \mathit{Sat}\ p \to E[(\neg f_2) U (\neg f_1 \land \neg f_2)]}{P\ \mathit{Sat}\ p \to \neg A[f_1 U f_2]}$$

To verify a specification of the form $P\ \mathit{Sat}\ p \to \neg E[f_1 U f_2]$ we observe that there does not exist a fair path that satisfies $f_1$ until $f_2$ iff either $\neg f_1 \land \neg f_2$ holds at the root or there exists an assertion $I$ that holds in every node of every path from the root until $\neg f_1 \land \neg f_2$ holds and in addition $I$ must imply $\neg f_2$. Thus we get:

$$\frac{P\ \mathit{Sat}\ p \to (\neg f_1 \land \neg f_2) \quad\text{or}\quad p \to I,\ \ P\ \mathit{Sat}\ I \to \neg f_2 \land AX(I \lor (\neg f_1 \land \neg f_2))}{P\ \mathit{Sat}\ p \to \neg E[f_1 U f_2]}$$

4.3 The global-rules

Next we present conditions for verifying $P\ \mathit{Sat}\ p \to EGf_1$. To prove that a path is fair we exploit the following observation, taken from the completeness proof for the weak fair termination rule in [10]: a path $\pi$ in a computation tree of $P$ is fair iff for every transition $\tau_i$ of $P$, either $\tau_i$ is infinitely often disabled or $\tau_i$ is infinitely often executed along $\pi$. Note that, along every path the dummy transition $\tau^*$ is either disabled or continuously executed from some point on. Thus, we can relax the above condition and conclude that a path $\pi$ is fair iff for every non-dummy transition $\tau_i$, i.e., $\tau_i$ is not equal to $\tau^*$, either $\tau_i$ is infinitely often disabled or $\tau_i$ is infinitely often executed along $\pi$. This implies that $\pi$ can be partitioned into infinitely many disjoint intervals of finite length, each of which contains, for every non-dummy transition $\tau_i$, either a state in which $\tau_i$ is disabled or a step in which $\tau_i$ is executed. We call such an interval fair. Thus, a path is fair iff it can be partitioned into infinitely many finite fair intervals.
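As an added illustration of the fairness criterion just stated and of the definition of fair paths in Section 2 (example code, not from the paper), the following Python checks weak fairness of a lasso-shaped path and greedily partitions a finite path into fair intervals. The program, the dict representation of states, the lasso representation (prefix plus a cycle that returns to the same state) and all helper names are constructed for this example.

```python
"""Weak fairness of infinite paths, checked on lasso-shaped paths.

Added example, not code from the paper.  A program is a list of transitions
(name, guard, action) over states represented as dicts; the dummy transition
tau_* (enabled exactly when every other transition is disabled, leaving the
state unchanged) is appended by fair_transition_system().  An infinite path is
given as an initial state, a finite prefix of transition names and a cycle of
transition names that returns to its first state, so "infinitely often"
questions can be answered by inspecting the cycle once.
"""
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]
Transition = Tuple[str, Callable[[State], bool], Callable[[State], State]]
DUMMY = "tau_*"


def fair_transition_system(non_dummy: List[Transition]) -> List[Transition]:
    """Append the dummy transition tau_* to a list of non-dummy transitions."""
    def dummy_guard(s: State) -> bool:
        return not any(guard(s) for _, guard, _ in non_dummy)
    return non_dummy + [(DUMMY, dummy_guard, lambda s: dict(s))]


def step(program: List[Transition], s: State, name: str) -> State:
    """Execute transition `name` from s; it must be enabled there."""
    for n, guard, action in program:
        if n == name:
            if not guard(s):
                raise ValueError(f"{name} is disabled in {s}")
            return action(s)
    raise KeyError(name)


def unroll(program: List[Transition], s0: State, names: List[str]) -> List[State]:
    """States visited when executing `names` in order, starting from s0."""
    states = [s0]
    for n in names:
        states.append(step(program, states[-1], n))
    return states


def is_fair_lasso(program: List[Transition], s0: State,
                  prefix: List[str], cycle: List[str]) -> bool:
    """Weak fairness (Section 2): a transition continuously enabled from some
    point on must be executed infinitely often.  On a lasso, a transition is
    continuously enabled from some point iff it is enabled in every state of
    the cycle, and executed infinitely often iff it is executed in the cycle.
    Section 4.3's relaxed form: only non-dummy transitions need checking."""
    pre = unroll(program, s0, prefix)
    cyc = unroll(program, pre[-1], cycle)
    if cyc[-1] != cyc[0]:
        raise ValueError("cycle does not return to its first state")
    cycle_states = cyc[:-1]
    for name, guard, _ in program:
        if name == DUMMY:
            continue
        continuously_enabled = all(guard(s) for s in cycle_states)
        if continuously_enabled and name not in cycle:
            return False
    return True


def fair_interval_ends(program: List[Transition], states: List[State],
                       names: List[str]) -> List[int]:
    """Greedy partition of a finite path (states[k] --names[k]--> states[k+1])
    into fair intervals: an interval is closed at the first node by which every
    non-dummy transition has either been disabled in some state of the interval
    or executed in some step of it.  Returns the node indices that end intervals.
    The step leaving an end point belongs to the next interval, matching the
    reset that the paper's condition EG2 asks of gamma."""
    non_dummy = [t for t in program if t[0] != DUMMY]
    ends: List[int] = []
    settled = set()

    def absorb_state(k: int) -> None:
        for name, guard, _ in non_dummy:
            if not guard(states[k]):
                settled.add(name)

    absorb_state(0)
    if len(settled) == len(non_dummy):
        ends.append(0)
        settled.clear()
    for k, name in enumerate(names):
        if name != DUMMY:
            settled.add(name)
        absorb_state(k + 1)
        if len(settled) == len(non_dummy):
            ends.append(k + 1)
            settled.clear()
    return ends


# Constructed program (not the paper's example): tau_a is always enabled and
# toggles a, tau_b is enabled while b = 0 and sets b to 1.
PROGRAM = fair_transition_system([
    ("tau_a", lambda s: True, lambda s: {**s, "a": 1 - s["a"]}),
    ("tau_b", lambda s: s["b"] == 0, lambda s: {**s, "b": 1}),
])
S0 = {"a": 0, "b": 0}

if __name__ == "__main__":
    # Toggling a forever while tau_b stays enabled is not fair.
    print(is_fair_lasso(PROGRAM, S0, [], ["tau_a", "tau_a"]))        # False
    # Executing tau_b once first makes the same cycle fair.
    print(is_fair_lasso(PROGRAM, S0, ["tau_b"], ["tau_a", "tau_a"]))  # True
    names = ["tau_b"] + ["tau_a"] * 4
    print(fair_interval_ends(PROGRAM, unroll(PROGRAM, S0, names), names))  # [2, 3, 4, 5]
```

The unfair lasso has no fair interval end at all (the greedy partition never closes an interval because tau_b is never disabled or executed), while the fair one produces an end point at every node once tau_b has been executed, which is exactly the "infinitely many finite fair intervals" characterization.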

A proof tool for identifying the end points of fair intervals is introduced next. Let $P$ be a program with $m$ non-dummy transitions and let $dis : \Sigma \to \{0,1\}^m$ be a function that maps a state $\sigma$ to a binary vector of length $m$ such that $dis(\sigma)(j) = 0$ iff the transition $\tau_j$ is disabled in $\sigma$. Let $\mathbf{0}$ ($\mathbf{1}$) stand for a vector of $m$ zeros (ones). And for a natural number $j$ let $\bar{j}$ be a vector of ones except that if $1 \le j \le m$ then the $j$-th element in this vector is zero. Let $\land$ be the pointwise logical conjunction of binary vectors. For example, let $m = 3$ and $dis = 101$; the value of the expression $\mathbf{1} \land \bar{3} \land dis$, that is $111 \land 110 \land 101$, is equal to $100$. We use a function $\gamma$ from the program states to $\{0,1\}^m$ and require the following proof obligations that ensure that $\gamma = \mathbf{0}$ indicates the end of a fair interval. The condition

EG1. $p \to (\gamma \in \{0,1\}^m)$

requires that initially $\gamma$ is defined. The condition

EG2. For every $\tau_j \in P$ : $\{\gamma = \mathbf{0}\}\tau_j\{\gamma = (\bar{j} \land dis)\}$

requires that the first step taken after the end of a fair interval results in a state in which the value of $\gamma$ is reset, that is, $\gamma = (w_1, \ldots, w_m)$ where $w_i = 0$ iff $\tau_i$ is disabled at the current state or $\tau_i$ has just been executed, and $w_i = 1$ otherwise. The condition

EG3. For every $\tau_j \in P$ and every $w \in \{0,1\}^m$ : $\{\gamma = w \land w \ne \mathbf{0}\}\tau_j\{\gamma = (w \land \bar{j} \land dis)\}$

requires that $\gamma$ assigns $w_i = 0$ to states within a fair interval iff $\tau_i$ has either been executed or has been disabled in that fair interval.

Introducing the above method for identifying the end points of fair intervals, we still have to prove that there exists a path along which infinitely often an end of a fair interval is encountered:

EG4. $I \to \gamma = \mathbf{0}$

EG5. $P\ \mathit{Sat}\ p \to E[f_1 U (I \land f_1)]$

EG6. $P\ \mathit{Sat}\ I \to EXE[f_1 U (I \land f_1)]$

The condition EG4 sets the connection between the satisfaction of $I$ and the end points of fair intervals. Conditions EG5 and EG6 ensure that there exists a path in which $I$ holds infinitely often and moreover $f_1$ continuously holds along that path. Thus we get:

$$\frac{\text{EG1} - \text{EG6}}{P\ \mathit{Sat}\ p \to EGf_1}$$

To verify the other global specifications we rely on the following fair CTL validities,

$$AGf_1 \leftrightarrow \neg E[\mathit{true}\ U \neg f_1]$$
$$\neg EGf_1 \leftrightarrow A[\mathit{true}\ U \neg f_1]$$
$$\neg AGf_1 \leftrightarrow E[\mathit{true}\ U \neg f_1]$$

which imply:

$$\frac{P\ \mathit{Sat}\ p \to \neg E[\mathit{true}\ U \neg f_1]}{P\ \mathit{Sat}\ p \to AGf_1} \qquad \frac{P\ \mathit{Sat}\ p \to A[\mathit{true}\ U \neg f_1]}{P\ \mathit{Sat}\ p \to \neg EGf_1} \qquad \frac{P\ \mathit{Sat}\ p \to E[\mathit{true}\ U \neg f_1]}{P\ \mathit{Sat}\ p \to \neg AGf_1}$$

The entire deductive system is presented in Figure 1.

5 Example

Consider the simple program

$$P ::\quad \tau_1 : x := x + 1\ \ \text{if } x < 10 \quad []\quad \tau_2 : y := 5\ \ \text{if } 5 < x \land y = 0 \quad []\quad \tau^*$$

which has three transitions. Transition $\tau_1$ increases the value of $x$ by 1 and is enabled whenever the value of $x$ is smaller than 10. Transition $\tau_2$ sets $y$ to 5 and is enabled whenever the value of $x$ is bigger than 5 and the value of $y$ is equal to 0. Transition $\tau^*$ is the dummy transition. Next we verify the correctness formula:

$$P\ \mathit{Sat}\ x = 0 \land y = 0 \to EG(x < 10 \to y = 0)$$


This specification implies that there exists a fair computation of $P$ in which the execution of the second transition is postponed until the first one is not enabled any more. Let

$$\gamma = \begin{cases} 00 & \text{if } 0 \le x \le 5 \lor y \ne 0 \\ 01 & \text{if } x > 5 \land y = 0 \end{cases}$$

We prove that the premises EG1 – EG6 hold:

• EG1. According to the definition of $\gamma$, $x = 0 \land y = 0 \to \gamma = 00$ holds.

• EG2. According to the definition of $\gamma$, if $\gamma = 00$ then $0 \le x \le 5 \lor y \ne 0$ holds. Therefore, transition $\tau_1$ is either not enabled or its execution results in a state in which $\gamma = 0c$, where $c = 1$ if $x > 5 \land y = 0$ and $c = 0$ otherwise. According to the definition of $dis$, the value of the expression $01 \land dis$ is $0d$, where $d = 1$ if $x > 5 \land y = 0$ and $d = 0$ otherwise. Thus, in the resulting state $\gamma = (01 \land dis)$ and we conclude that

$$\{\gamma = 00\}\tau_1\{\gamma = (01 \land dis)\}$$

holds. Transition $\tau_2$ is not enabled in a state satisfying $0 \le x \le 5 \lor y \ne 0$. Therefore

$$\{\gamma = 00\}\tau_2\{\gamma = (10 \land dis)\}$$

holds. For transition $\tau^*$

$$\{\gamma = 00\}\tau^*\{\gamma = (11 \land dis)\}$$

holds since either $\tau^*$ is not enabled or it is enabled and in both starting and resulting states $dis = 00$ and $\gamma = 00$.

• EG3. According to the definition of $\gamma$, $\gamma = w \land w \ne 0$ implies that $\gamma = 01$ and thus the corresponding starting state satisfies $x > 5 \land y = 0$. Transition $\tau_1$ is either not enabled or its execution results in a state satisfying $x > 5 \land y = 0$. Therefore, according to the definition of $\gamma$, in the resulting state $\gamma = 01$ holds. The value of the expression $01 \land 01 \land dis$ is equal to $01$ since $\tau_2$ is enabled in the resulting state, and thus

$$\{\gamma = 01\}\tau_1\{\gamma = (01 \land 01 \land dis)\}$$

holds. The execution of $\tau_2$ from a state satisfying $x > 5 \land y = 0$ results in a state satisfying $x > 5 \land y \ne 0$ and therefore $\gamma = 00$ in the resulting state. The value of the expression $01 \land 10 \land dis$ is equal to $00$ and thus

$$\{\gamma = 01\}\tau_2\{\gamma = (01 \land 10 \land dis)\}$$

holds. The transition $\tau^*$ is not enabled in a state satisfying $x > 5 \land y = 0$ and therefore

$$\{\gamma = 01\}\tau^*\{\gamma = (01 \land 11 \land dis)\}$$

holds.
• EG4. Let $I = (0 \le x \le 5 \land y = 0) \lor (x \ge 10 \land y \ne 0)$. According to the definition of $\gamma$ we get:

$$I \to \gamma = 00$$

• EG5. Next we prove that

$$P\ \mathit{Sat}\ x = 0 \land y = 0 \to E[(x < 10 \to y = 0)\ U\ (I \land (x < 10 \to y = 0))]$$

Using first order manipulation the assertion $(I \land (x < 10 \to y = 0))$ can be rewritten as $(0 \le x \le 5 \land y = 0) \lor (y \ne 0 \land x \ge 10)$. Let $\Phi = 0 \le x \le 10 \land y = 0$ and $W = \{\mathit{true}, \mathit{false}\} \times \{0..10\}$ with lexicographical order where $\langle \mathit{false}, 0 \rangle$ is the minimal element. We define $\delta = \langle y = 0,\ 10 - x \rangle$.

– AU1. $x = 0 \land y = 0 \to \Phi \land (\delta \in W)$.

– AU3. $0 \le x \le 10 \land y = 0 \to (x < 10 \to y = 0)$.

– AU4. For $\delta = \langle \mathit{true}, d \rangle$, where $1 \le d \le 10$, we get

(1) $\Phi \land \delta = \langle \mathit{true}, d \rangle \land 1 \le d \le 10 \to En(\tau_1)$

(2) $\{\Phi \land \delta = \langle \mathit{true}, d \rangle \land 1 \le d \le 10\}\tau_1\{\Phi \land \delta = \langle \mathit{true}, d - 1 \rangle\}$

For $\delta = \langle \mathit{true}, 0 \rangle$, we get

(1) $\Phi \land \delta = \langle \mathit{true}, 0 \rangle \to En(\tau_2)$

(2) $\{\Phi \land \delta = \langle \mathit{true}, 0 \rangle\}\tau_2\{y \ne 0 \land x \ge 10 \land \delta = \langle \mathit{false}, 0 \rangle\}$

For $\delta = \langle \mathit{false}, d \rangle$, the assertion $\Phi \land \delta = \langle \mathit{false}, d \rangle$ is false and therefore both requirements (1) and (2) hold for any transition.

• EG6. Next we prove that

(*) $P\ \mathit{Sat}\ I \to EXE[(x < 10 \to y = 0)\ U\ (I \land (x < 10 \to y = 0))]$

Recall that $I = (0 \le x \le 5 \land y = 0) \lor (x \ge 10 \land y \ne 0)$; therefore (*) holds iff

(1) $P\ \mathit{Sat}\ 0 \le x \le 5 \land y = 0 \to EXE[(x < 10 \to y = 0)\ U\ (I \land (x < 10 \to y = 0))]$

holds and

(2) $P\ \mathit{Sat}\ x \ge 10 \land y \ne 0 \to EXE[(x < 10 \to y = 0)\ U\ (I \land (x < 10 \to y = 0))]$

holds.

To prove (1) we apply the next-rule for proving $EX$ and get the following subgoals:

(1.1) $0 \le x \le 5 \land y = 0 \to x < 10$

(1.2) $\{0 \le x \le 5 \land y = 0\}\tau_1\{0 \le x \le 6 \land y = 0\}$

(1.3) $P\ \mathit{Sat}\ 0 \le x \le 6 \land y = 0 \to E[(x < 10 \to y = 0)\ U\ (I \land (x < 10 \to y = 0))]$

It is easy to see that (1.1) and (1.2) hold, and (1.3) is proved using $\Phi$ and $\delta$ just as in EG5.

To prove (2) we apply the rule for proving $EX$ and get the following subgoals:

(2.1) $x \ge 10 \land y \ne 0 \to En(\tau^*)$, where $En(\tau^*) = x \ge 10 \land y \ne 0$

(2.2) $\{x \ge 10 \land y \ne 0\}\tau^*\{x \ge 10 \land y \ne 0\}$

(2.3) $P\ \mathit{Sat}\ x \ge 10 \land y \ne 0 \to E[(x < 10 \to y = 0)\ U\ (I \land (x < 10 \to y = 0))]$

It is easy to see that (2.1) and (2.2) hold, and (2.3) is easily proved using $\Phi = \mathit{false}$ and an arbitrary $\delta$. We can choose $\Phi$ and $\delta$ as such since the precondition implies the second argument of the until specification, that is, $x \ge 10 \land y \ne 0 \to I \land (x < 10 \to y = 0)$.
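The assertional proof obligations of Sections 4.2 and 4.3 for this example can be discharged mechanically over a bounded state space. The following Python is an added example, not code from the paper: the program $P$, $\gamma$, $I$, $\Phi$ and $\delta$ are transcribed from this section; bounding the state space to $x \in 0..11$, $y \in \{0, 5\}$, representing assertions as Python predicates, and all helper names are assumptions of the example. It checks EG1–EG4 and AU1, AU3, AU4 (as used in EG5), and also AU2, which the example does not need and which indeed fails here.

```python
"""Exhaustive check of the proof obligations of Sections 4.2 and 4.3 on the
example program of Section 5.  Added example, not code from the paper: P,
gamma, I, Phi and delta are transcribed from Section 5; the bounded state
space and the helper names are our own.  The first-order validity checks of
the paper become universally quantified loops over STATES.
"""
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, int]
Assertion = Callable[[State], bool]
Transition = Tuple[str, Assertion, Callable[[State], State]]


def tau1_guard(s: State) -> bool:
    return s["x"] < 10


def tau2_guard(s: State) -> bool:
    return 5 < s["x"] and s["y"] == 0


# P :: tau_1 : x := x + 1 if x < 10  []  tau_2 : y := 5 if 5 < x and y = 0  []  tau_*
NON_DUMMY: List[Transition] = [
    ("tau_1", tau1_guard, lambda s: {**s, "x": s["x"] + 1}),
    ("tau_2", tau2_guard, lambda s: {**s, "y": 5}),
]
DUMMY: Transition = ("tau_*", lambda s: not (tau1_guard(s) or tau2_guard(s)), lambda s: dict(s))
PROGRAM = NON_DUMMY + [DUMMY]
M = len(NON_DUMMY)
ZERO = (0,) * M
# Constructed bounded state space; every state reachable from x = 0, y = 0 lies in it.
STATES = [{"x": x, "y": y} for x, y in product(range(12), (0, 5))]


def dis(s: State) -> Tuple[int, ...]:
    """dis(sigma)(j) = 0 iff tau_j is disabled in sigma (non-dummy transitions only)."""
    return tuple(1 if guard(s) else 0 for _, guard, _ in NON_DUMMY)


def jbar(j: int) -> Tuple[int, ...]:
    """All ones except a zero at position j; j outside 1..m (the dummy) gives all ones."""
    return tuple(0 if i == j else 1 for i in range(1, M + 1))


def conj(*vecs: Tuple[int, ...]) -> Tuple[int, ...]:
    """Pointwise conjunction of binary vectors."""
    return tuple(min(bits) for bits in zip(*vecs))


def gamma(s: State) -> Tuple[int, int]:
    """Section 5: gamma = 00 if 0 <= x <= 5 or y != 0, and 01 if x > 5 and y = 0."""
    return (0, 1) if s["x"] > 5 and s["y"] == 0 else (0, 0)


def valid(pre: Assertion, post: Assertion) -> bool:
    """pre -> post over the bounded state space."""
    return all(post(s) for s in STATES if pre(s))


def hoare(pre: Assertion, tr: Transition, post: Callable[[State, State], bool]) -> bool:
    """{pre} tr {post}: post sees (start state, result state) so that it may
    mention dis in the resulting state, as EG2 and EG3 do."""
    _, guard, action = tr
    return all(post(s, action(s)) for s in STATES if pre(s) and guard(s))


p: Assertion = lambda s: s["x"] == 0 and s["y"] == 0
I: Assertion = lambda s: (0 <= s["x"] <= 5 and s["y"] == 0) or (s["x"] >= 10 and s["y"] != 0)
l1: Assertion = lambda s: s["x"] >= 10 or s["y"] == 0          # x < 10 -> y = 0
l2: Assertion = lambda s: I(s) and l1(s)
Phi: Assertion = lambda s: 0 <= s["x"] <= 10 and s["y"] == 0
W = [(b, d) for b in (False, True) for d in range(11)]        # lexicographic, (False, 0) minimal
delta = lambda s: (s["y"] == 0, 10 - s["x"])                  # in W iff 0 <= x <= 10


def check_EG1_to_EG4() -> Dict[str, bool]:
    """EG1: p -> gamma defined; EG2: {gamma = 0} tau_j {gamma = jbar /\\ dis};
    EG3: {gamma = w, w != 0} tau_j {gamma = w /\\ jbar /\\ dis}; EG4: I -> gamma = 0."""
    vectors = set(product((0, 1), repeat=M))
    eg2 = all(hoare(lambda s: gamma(s) == ZERO, tr,
                    lambda s, t, j=j: gamma(t) == conj(jbar(j), dis(t)))
              for j, tr in enumerate(PROGRAM, start=1))
    eg3 = all(hoare(lambda s, w=w: gamma(s) == w, tr,
                    lambda s, t, j=j, w=w: gamma(t) == conj(w, jbar(j), dis(t)))
              for j, tr in enumerate(PROGRAM, start=1) for w in vectors if w != ZERO)
    return {"EG1": valid(p, lambda s: gamma(s) in vectors), "EG2": eg2, "EG3": eg3,
            "EG4": valid(I, lambda s: gamma(s) == ZERO)}


def au4_witnesses() -> Dict[Tuple[bool, int], Optional[str]]:
    """AU4: for every w in W some tau with (Phi /\\ delta = w) -> En(tau) and
    {Phi /\\ delta = w} tau {l2 \\/ (Phi /\\ delta < w)}; first witness per rank."""
    witnesses: Dict[Tuple[bool, int], Optional[str]] = {}
    for w in W:
        pre = lambda s, w=w: Phi(s) and delta(s) == w
        witnesses[w] = next((name for tr in PROGRAM for name, guard, _ in [tr]
                             if valid(pre, guard)
                             and hoare(pre, tr, lambda s, t, w=w: l2(t) or (Phi(t) and delta(t) < w))),
                            None)
    return witnesses


def check_AU_conditions() -> Dict[str, bool]:
    """AU1, AU3, AU4 justify the E-until of EG5.  AU2 is checked as well and
    fails: executing tau_2 while x < 10 violates x < 10 -> y = 0, so the
    A-until version of EG5 does not hold for this program."""
    au1 = valid(p, lambda s: l2(s) or (Phi(s) and delta(s) in W))
    au2 = all(hoare(lambda s, w=w: Phi(s) and delta(s) == w, tr,
                    lambda s, t, w=w: l2(t) or (Phi(t) and delta(t) <= w))
              for tr in PROGRAM for w in W)
    au3 = valid(Phi, l1)
    au4 = all(name is not None for name in au4_witnesses().values())
    return {"AU1": au1, "AU2": au2, "AU3": au3, "AU4": au4}


if __name__ == "__main__":
    print(check_EG1_to_EG4())   # all True
    print(check_AU_conditions())  # AU1, AU3, AU4 True; AU2 False
```

The witness table returned by au4_witnesses reproduces the case split of the proof above: ranks $\langle \mathit{true}, d \rangle$ with $d \ge 1$ are discharged by $\tau_1$, the rank $\langle \mathit{true}, 0 \rangle$ by $\tau_2$, and ranks $\langle \mathit{false}, d \rangle$ vacuously.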
6 Discussion


CTL  model  checking  [4]  is  h  verificntion  algovitliin  that  given  a  program  described  as  a  finite-state 
tiiuisition  graph,  a  state  in  the  program,  and  a  foi-mtila  in  propositional  CTL,  detennines  whether  or 
not  the  < omjaitation  tree  of  the  program,  starting  at  this  state,  satisfies  the  formtda.  It  is  interesting 
to  noti(  e  the  similarity  and  difference  between  the  iinxlel  <he(  king  approach  and  oms. 

Roth  m<‘tho<ls  me  similm’  in  that,  the  verifi<ation  of  a  formnla  depends  on  the  verification  of  its 
snliformnlas.  Moreover,  they  are  both  syntitx  <lire<ted,  i.e.,  the  nde  (or  i)ro<edme)  aj)j)lied  in  the 
verifl<afion  <»f  a  fonnnia  is  deteniiined  by  the  fonimla's  toj)  level  o])erator. 

One of the differences between the methods stems from the fact that while [4] solves a recursive problem, we suggest a method for a non-recursive one. As a result, model checking suggests no special rules for negated formulas. To determine whether or not a formula ¬φ is true in a state they check φ at this state and complement the result. Dealing with a non-recursive problem, our method cannot expect, in general, to get a negative answer. Thus direct rules to handle negation as the top level operator are introduced.

In [4], a more general notion of fairness is considered. Therefore, handling fairness requires a preliminary step that marks all states from which a fair computation starts (they all satisfy some proposition Q). To check now that E[f1 U f2] is true in a state, they check that E[f1 U (f2 ∧ Q)] is true in that state. In this case, our method is simpler. Since from every state there is a weakly fair computation starting at this state, we can verify E[f1 U f2] as if no fairness is concerned.

The case of AU is solved in [4] by using EU and EG. Their procedure for EG heavily depends on the finiteness of the program description, and involves graph manipulations. Clearly, a similar method is not applicable to our case. To conclude, both methods are similar in the way they take advantage of the structure of CTL formulas. As expected, they diverge significantly in the way they exploit properties of the program description.

Other verification approaches that can handle general liveness properties were introduced in the automata theoretic framework. In [1], [2], [13] assertional verification conditions are presented for verifying properties which are specified by finite-state automata. Those results are extended in [20] to deal with properties specified by recursive ∀-automata. In contrast, we specify properties in a relatively intuitive and high level temporal language and no automaton is constructed.
A Relative completeness

To prove the completeness of our deductive system we first prove that there is no circularity in the system. That is, we prove that every premise of every rule can be verified by applying fewer proof rules than required for the verification of the goal of the rule. To do so, we introduce a mapping μ that maps every fair CTL formula to a natural number. Then, we show that for every rule of the form

P Sat p1 → φ1
P Sat pm → φm

P Sat p → φ

the relation μ(φi) < μ(φ) holds for every 1 ≤ i ≤ m.

The function μ is:

• If f ∈ L then μ(f) = 1,

• if f = f1 ∧ f2 then μ(f) = μ(f1) + μ(f2),

• if f = EX f1 or f = AX f1 then μ(f) = μ(f1) + 1,

• if f = A[f1 U f2] or f = E[f1 U f2] then μ(f) = 2 × (μ(f1) + μ(f2)),

• if f = EG f1 then μ(f) = 4 × μ(f1) + 4,

• if f = AG f1 then μ(f) = (2 × (μ(f1))² + 4)²,

• if f = ¬f1 then μ(f) = (μ(f1))².

Here we demonstrate the above for only one rule:

P Sat p → A[true U ¬f1]

P Sat p → ¬EG f1

According to the definition of μ we get:

μ(A[true U ¬f1]) = 2 × (1 + (μ(f1))²)

and

μ(¬EG f1) = (4 × μ(f1) + 4)².

It is easy to see that μ(¬EG f1) > μ(A[true U ¬f1]).
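The measure μ above in code, as an added example that is not part of the paper: it checks the decrease μ(premise) < μ(conclusion) for the rule just demonstrated and for the other rules whose shape is stated in this appendix and in Figure 1 (¬AX, ¬AU, AG, ¬AG). It assumes formulas are nested tuples and that any plain string stands for an assertion of L; the sample subformulas are constructed here.

```python
# Added example, not from the paper: the measure mu of Appendix A in code, used to
# check the "no circularity" claim on the rules whose shape this page gives
# (the demonstrated not-EG rule, and the not-AX, not-AU, AG and not-AG rules).
# Assumption of this example: a formula is a nested tuple (operator, args...)
# and any plain string stands for an assertion of the base language L.
from itertools import product

TRUE = "true"   # the assertion 'true', a member of L


def mu(f):
    """Measure of a fair CTL formula, following the definition in Appendix A."""
    if isinstance(f, str):                 # f in L
        return 1
    op = f[0]
    if op == "and":                        # f1 /\ f2
        return mu(f[1]) + mu(f[2])
    if op in ("EX", "AX"):                 # EX f1, AX f1
        return mu(f[1]) + 1
    if op in ("AU", "EU"):                 # A[f1 U f2], E[f1 U f2]
        return 2 * (mu(f[1]) + mu(f[2]))
    if op == "EG":                         # EG f1
        return 4 * mu(f[1]) + 4
    if op == "AG":                         # AG f1
        return (2 * mu(f[1]) ** 2 + 4) ** 2
    if op == "not":                        # ~f1
        return mu(f[1]) ** 2
    raise ValueError(f"unknown operator {op!r}")


def rule_instances(f1, f2):
    """Goal formulas of the premises and of the conclusion for the rules stated
    on this page (appendix and Figure 1), instantiated with subformulas f1, f2."""
    not_f1, not_f2 = ("not", f1), ("not", f2)
    return {
        "not-EG": ([("AU", TRUE, not_f1)], ("not", ("EG", f1))),
        "not-AX": ([("EX", not_f1)], ("not", ("AX", f1))),
        "not-AU": ([("EG", not_f2),
                    ("EU", not_f2, ("and", not_f1, not_f2))],
                   ("not", ("AU", f1, f2))),
        "AG":     ([("not", ("EU", TRUE, not_f1))], ("AG", f1)),
        "not-AG": ([("EU", TRUE, not_f1)], ("not", ("AG", f1))),
    }


def premises_decrease(f1, f2):
    """True iff, for every listed rule, each premise has a strictly smaller
    measure than the conclusion when instantiated with f1 and f2."""
    return all(mu(prem) < mu(goal)
               for prems, goal in rule_instances(f1, f2).values()
               for prem in prems)


# A constructed set of subformulas of mixed shape and nesting depth.
SAMPLES = ["q", ("and", "q", "r"), ("EX", "q"), ("AX", ("not", "q")),
           ("AU", "q", "r"), ("EU", "q", ("and", "q", "r")), ("EG", "q"),
           ("AG", ("EX", "q")), ("not", ("AU", "q", "r"))]


def check_all(samples=SAMPLES):
    """Check the decrease property for every pair of sample subformulas."""
    return all(premises_decrease(f1, f2)
               for f1, f2 in product(samples, repeat=2))


if __name__ == "__main__":
    # The worked instance from the text with mu(f1) = 1:
    # mu(A[true U ~f1]) = 2 * (1 + 1) = 4 and mu(~EG f1) = (4 * 1 + 4)^2 = 64.
    print(mu(("AU", TRUE, ("not", "q"))), mu(("not", ("EG", "q"))))
    print("every premise decreases:", check_all())
```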

Since there is no circularity in the system, the relative completeness of the system can be proved by separately proving the relative completeness of every proof rule. We bring here some of the more interesting proofs.

• The assertion rule:

P Sat p → q
for q ∈ L

Assume ⊨ P Sat p → q. Thus for every computation tree of P, if the root node satisfies p then it satisfies q as well. Since every state in the state space can serve as a root node for a computation tree of P, we can conclude ⊨ p → q.

• The AX rule:

P Sat q → f1

P Sat p → AX f1

Assume ⊨ P Sat p → AX f1. Thus for every computation tree of P, if the root node η satisfies p then every immediate successor of η satisfies f1. Let q be an assertion that holds exactly at all immediate successors of root nodes that satisfy p. The program left to be executed after the execution of any transition from P is P itself, therefore ⊨ P Sat q → f1. Moreover, for every τ ∈ P and every pair of states such that ρτ(σ1, σ2) holds: if σ1 ⊨ p then σ2 ⊨ q, that is,


• The ¬AX rule:

P Sat p → EX¬f1

P Sat p → ¬AX f1

The relative completeness of this rule is a consequence of the validity of the fair CTL formula:

EX¬f1 ↔ ¬AX f1

First direction: the formula EX¬f1 holds at a node η in a marked tree MT iff there exists an immediate successor η1 of η such that η1 does not satisfy f1. Therefore not all immediate successors of η satisfy f1, that is, MT, η ⊨ ¬AX f1. The second direction is also easy and is omitted here.

• The ¬AU rule:

P Sat p → EG¬f2
or
P Sat p → E[(¬f2) U (¬f1 ∧ ¬f2)]

P Sat p → ¬A[f1 U f2]

Again, the relative completeness of this rule is a consequence of the validity of the fair CTL formula:

(EG¬f2) ∨ (E[(¬f2) U (¬f1 ∧ ¬f2)]) ↔ ¬A[f1 U f2]

First direction: the formula (EG¬f2) ∨ (E[(¬f2) U (¬f1 ∧ ¬f2)]) holds at a node η in a marked tree MT iff either there exists a fair path from η in which ¬f2 continuously holds, or there exists a fair path from η such that ¬f2 holds in an initial prefix of that path until ¬f1 ∧ ¬f2 holds. Thus, we can conclude that there exists a fair path from η in which f1 U f2 does not hold, that is, MT, η ⊨ ¬A[f1 U f2]. Using similar considerations the second direction can also be proved.

• The EG rule:

EG1 – EG6

P Sat p → EG f1

Assume ⊨ P Sat p → EG f1. Thus for every computation tree of P, if the root node satisfies p then there exists a fair path that continuously satisfies f1. We translate P into another program P' by adding to P a history (auxiliary) variable h. Initially, the value of h is the empty sequence ε. Every transition τj in P is translated into

τj || h := h ∘ σ ∘ j

That is, the state at which τj is executed (i.e., σ) and the index number of τj (i.e., j) are concatenated to h.

Let T be the set of all computation trees of P' such that their root node is marked by a state satisfying p ∧ h = ε.

For every state σ that marks a node in a tree in T we define the value of the function γ as follows:

- The states that mark root nodes are mapped by γ to the vector 1.

- If a node η is marked by σ and γ(σ) = w, where w ≠ 0, then every state σ' that marks an immediate successor η' of η is mapped by γ to w ∧ j ∧ dis, where j is s.t. Mτ(η, η') = τj and dis is evaluated at the state Mn(η).

- If a node η is marked by σ and γ(σ) = 0 then every state σ' that marks an immediate successor η' of η is mapped by γ to j ∧ dis, where j is s.t. Mτ(η, η') = τj and dis is evaluated at the state Mn(η).

The above partial function γ is well-defined since every two states that mark nodes in T (of either different trees or of the same tree) are different, since h has different values.

We define I to be the set of all states that γ maps to 0. Next we prove that the premises EG1 – EG6 hold for the above γ and I and the precondition p ∧ h = ε.

- EG1. Every state that satisfies p ∧ h = ε marks a root node of one of the trees in T and every such state is also mapped by γ to 1, therefore

⊨ p ∧ h = ε → (γ ∈ {0,1}^m)

- EG2. According to the definition of γ:

For  r.vr.nj  Tj  €  P  :  {</  =  ==  U  ^ 

- EG3. Again according to the definition of γ:

For  r.vury  Tj  €  P'  and  r.ve.iTj  «;  €  {0, 1}'"  :  {y  =  ii;  A7?J  76  =  (fa  Aj  A  rb.s)) 

- EG4. Immediate from the definition of I we get

- EG5 – EG6. Assuming the relative completeness of the other rules it is sufficient to prove that conditions EG5 – EG6 are semantically true. By the initial assumption we know that in every computation tree of P that starts in a state satisfying p ∧ h = ε there exists a fair path that continuously satisfies f1. According to the definition of I and γ and the observation that every fair path can be divided into infinitely many fair intervals, we can conclude that I holds infinitely many times in that fair path. Therefore,

⊨ P Sat p → E[f1 U (I ∧ f1)]

and

⊨ P Sat I → EX E[f1 U (I ∧ f1)].

• The basic-AU rule:

AU1 – AU4

P Sat p → A[I1 U I2]

where I1, I2 ∈ L

Assume ⊨ P Sat p → A[I1 U I2]. Given a computation tree MT' of P that starts in a root node η0 satisfying p (i.e., Mn(η0) ⊨ p), we know that every fair path from η0 satisfies I1 U I2. To prove the relative completeness of the rule we have to find an assertion Φ, a well-founded, partially ordered set (W, ≺) and a partial ranking function δ such that the premises AU1 – AU4 hold.

We start by truncating MT' into a smaller tree MT in the following way.

Every fair path from the root is truncated exactly after the first node that satisfies I2.

According to the assumption ⊨ P Sat p → A[I1 U I2] we know that MT has either infinite unfair paths or finite paths in which all intermediate nodes satisfy I1 and the leaf nodes (nodes that have no successors) satisfy I2. Next we construct another marked tree that will have only finite paths. First we need some definitions.

A path π is τ-avoiding if and only if τ is enabled at every node in π and moreover τ is not executed along π. CONEτ(η) is the set of all nodes in MT residing on infinite τ-avoiding paths starting from the node η. τ is called the CONE's directive. A path π in MT is leaving a CONEτ(η) at a node η' if η' is in π and η' also belongs to CONEτ(η) and the node which immediately follows η' in π does not belong to CONEτ(η).

Next we inductively define the construction of another marked tree, to be denoted MT* = ⟨T*, Mn*, Mτ*⟩. The function Mn* maps each node of T* to a subset of T and the function Mτ* maps each edge of T* to a transition of P.

At the base step we define the value of Mn* for the root of the new tree MT*. In the induction step we assume that the subtree of MT* of depth n is already built. We define for each leaf ξ of depth n the set of its immediate successors ξ1, …, ξk in T*. We also define for each successor ξj of ξ the value of Mn*(ξj) and the value of Mτ*(ξ, ξj).

To define the base and the induction step we need a function RT : T* → T which maps each node in T* to a node in T. This function is also defined inductively. Let η0 and ξ0 denote the roots of MT and MT*, respectively.

Base Step: If there exists in MT a τ-avoiding path starting from the root η0 for some τ ∈ P then Mn*(ξ0) = CONEτ(η0). Else, Mn*(ξ0) = {η0}. In both cases we define RT(ξ0) = η0.

¹ The nodes of MT are denoted by the symbols η or η', and the nodes of MT* are denoted by the symbols ξ.
Induction Step: Let ξ be a leaf of depth n and let RT(ξ) = η. We add immediate successors to ξ according to the following clauses:

- If Mn*(ξ) = CONEτ(η) then for every path π in MT leaving CONEτ(η) we add to ξ an immediate successor ξ1 in MT* and we define RT(ξ1) = η1, where η1 is the first node in π after π leaves CONEτ(η), and Mτ*(ξ, ξ1) = Mτ(η', η1), where η' is the predecessor of η1 in π.

- If Mn*(ξ) = {η} where η is not a leaf in MT, we add for every immediate successor η1 of η an immediate successor ξ1 to ξ. We define RT(ξ1) = η1 and Mτ*(ξ, ξ1) = Mτ(η, η1).

- If Mn*(ξ) = {η} where η is a leaf in MT then ξ is a leaf in MT* and RT(ξ) = η.

Next, we define Mn* for all nodes added in step n + 1 of the induction. Let ξ be such a node. Two cases:

- If there is no τ-avoiding path starting from RT(ξ) in MT for any τ ∈ P then Mn*(ξ) = {RT(ξ)}.

- Otherwise, consider the set S of all transitions τ for which there is an infinite τ-avoiding path starting from RT(ξ) in MT. Let τ1 be the transition chosen least recently, possibly not at all, as a CONE's directive along the sequence Mn*(ξ0), Mn*(ξ1), …, Mn*(ξn−1), where ξ0 ξ1 … ξn−1 ξ is the path from the root to ξ in MT*. We define Mn*(ξ) = CONEτ1(RT(ξ)). In the case there is more than one such transition in S, the transition with the smallest index (assume all transitions in P are indexed) is chosen.

Lemma A.1:

- For every node ξ in MT*, RT(ξ) ∈ Mn*(ξ).

- For every two nodes ξ1 and ξ2 in MT*, Mn*(ξ1) ∩ Mn*(ξ2) = ∅.

- MT* covers MT, i.e., every node of MT belongs to some Mn*(ξ), where ξ is a node of MT*.

Proof:

- According to the definition of MT*, Mn*(ξ) is either {RT(ξ)} or CONEτ(RT(ξ)); in both cases RT(ξ) ∈ Mn*(ξ).

- According to the definition of MT*, at every step of the induction Mn*(ξ) contains nodes of T that are not included in any previously defined Mn*(ξ'). Moreover, if ξ1 and ξ2 are added to MT* in the same induction step then RT(ξ1) and RT(ξ2) do not reside on a common path in T. Therefore, according to the definition of Mn* and the tree structure of T, Mn*(ξ1) ∩ Mn*(ξ2) = ∅.

- According to the definition of MT*, the root of MT* covers the root of MT and in the induction step, given a node ξ, all immediate successors in T of nodes in Mn*(ξ) are covered.

Lemma A.2: The tree MT* is well-founded, i.e., contains finite paths only.
Proof: Assume there exists an infinite path π* = ξ0 ξ1 … in MT*. According to the definition of the function RT the nodes RT(ξ0), RT(ξ1), … are nodes in MT. Moreover, according to the definition of MT* there exists a path π = η0 η1 … in MT such that for every i ≥ 0, RT(ξi+1) belongs to π and it appears in π after, but not necessarily immediately after, RT(ξi). Since the sequence RT(ξ0), RT(ξ1), … is infinite, π is also infinite and thus unfair.

Therefore, there are several (at least one) transitions which, from some point on in π, are continuously enabled but are never selected for execution. Let τ be such a transition with the smallest index and let πi be a suffix of π which is τ-avoiding and which starts from RT(ξi).

Two possibilities:

- τ is not selected as a CONE's directive along Mn*(ξ0), Mn*(ξ1), …, Mn*(ξi−1); then according to the definition of MT*, Mn*(ξi) = CONEτ(RT(ξi)).

- τ is selected as a CONE's directive along Mn*(ξ0), …, Mn*(ξi−1); then according to the definition of MT* there exists j > i such that τ is least recently selected as a CONE's directive along Mn*(ξ0), Mn*(ξ1), …, Mn*(ξj−1), and thus Mn*(ξj) = CONEτ(RT(ξj)).

Let k denote i if the first case holds and j otherwise. In both cases, the infinite tail of π which is τ-avoiding is contained in CONEτ(RT(ξk)). Therefore, all the nodes RT(ξk+1), RT(ξk+2), … are contained in CONEτ(RT(ξk)), a contradiction to Lemma A.1. □

Based on the properties of MT* proved in Lemmas A.1 and A.2 we next continue the AU-rule completeness proof. Both trees MT and MT* are constructed for a specific initial state σ0 that satisfies p, i.e., the root node of MT is mapped by Mn to σ0. In order to get rid of the dependency of the trees on σ0 we combine all trees MT such that their root node is mapped to a state satisfying p into an infinitary tree MT̄ = ⟨T̄, M̄n, M̄τ⟩. A new root is added and its immediate successors are all the trees MT s.t. Mn(η0) ⊨ p. Similarly we combine all MT* trees into an infinitary well-founded tree MT̄* = ⟨T̄*, M̄n*, M̄τ*⟩.


Next, the nodes of MT̄* are ranked by countable ordinals. All leaves are ranked with 0; an intermediate node is ranked with the successor of the least upper bound of the ranks of its immediate successors. In order to rank nodes with a unique rank a rank-shift is performed. Let ρ(ξ) denote the rank defined for node ξ by the above procedure.

Let Q be the set of all nodes in MT̄ that reside on finite paths and are neither leaves nor the root of MT̄. We define Φ to be the assertion satisfied by exactly all states that mark the nodes in Q, that is:

Φ = {σ | ∃η : σ = M̄n(η) ∧ η ∈ Q}

We define the ranking function δ to be:

δ(σ) = w iff ∃D : D ≠ ∅ ∧ D ⊆ T̄* ∧ (ξ ∈ D ↔ σ ∈ M̄n(Mn*(ξ))) ∧ w = ⋃_{ξ ∈ D} ρ(ξ)

Next we show that the premises AU1 – AU4 hold for Φ and δ above.
AU1. According to the construction of MT̄ all states that satisfy p mark at least one node in MT̄. Moreover, every state that satisfies p either marks a node in Q (thus it satisfies Φ) or a leaf of MT̄ (recall that every leaf η in MT̄ satisfies M̄n(η) ⊨ I2), therefore

⊨ p → Φ ∨ I2

Moreover, MT̄* covers MT̄ and therefore the ranking function δ is defined for every state that marks a node in MT̄. In particular, all states in p mark nodes in MT̄ and thus

⊨ p → (δ ∈ W)

AU2. From every state σ that satisfies Φ and δ(σ) = w, the execution of any transition from P leads either to a state that marks a leaf of MT̄, and therefore I2 is satisfied, or to a state that marks an internal node (not a leaf) η of MT̄. Since every finite prefix of a path can be extended to a fair path, η ∈ Q and therefore M̄n(η) ⊨ Φ. Thus,

{Φ ∧ (δ = w)} P {I2 ∨ Φ}

Moreover, according to the definition of MT̄*, if σ marks ξ in T̄* then any transition of P leads to a state that either marks ξ or marks an immediate successor of ξ, and therefore

{Φ ∧ (δ = w)} P {δ ≤ w}

AU3. According to the construction of MT̄ and the definition of Q, all nodes in Q are marked by states satisfying I1, therefore

AU4. Given w ∈ W, if there does not exist a state σ such that σ ⊨ Φ and δ(σ) = w then ⊨ Φ ∧ (δ = w) → false, and therefore both conditions in AU4 hold vacuously.

If there exists a state σ such that σ ⊨ Φ and δ(σ) = w then ∃ξ ∈ MT̄* such that ρ(ξ) = w and σ ∈ M̄n(Mn*(ξ)). Consider two cases:

Case 1: Mn*(ξ) = CONEτ(RT(ξ)).

According to the definition of CONEτ, τ is enabled in all states σ' such that σ' ∈ M̄n(CONEτ(RT(ξ))), therefore σ ⊨ En(τ) and we conclude

⊨ (Φ ∧ (δ = w)) → En(τ)

According to the definition of CONEτ every τ-move leaves CONEτ(RT(ξ)) and therefore a τ-move reaches an immediate successor ξ' of ξ in MT̄*. Since the nodes in MT̄* are ranked leaves up we know ρ(ξ') ≺ ρ(ξ). Thus,

{Φ ∧ (δ = w)} τ {δ ≺ w}

Moreover, if the τ-move reaches a leaf of MT̄ then the resulting state satisfies I2, otherwise it satisfies Φ. Thus,

{Φ ∧ (δ = w)} τ {I2 ∨ Φ}

Case 2: Mn*(ξ) = {RT(ξ)}.

In this case, σ = M̄n(RT(ξ)). σ ⊨ Φ implies that ∃η : σ = M̄n(η) ∧ η ∈ Q, therefore η and RT(ξ) are roots of identical subtrees of MT̄ and thus RT(ξ) ∈ Q. Thus, RT(ξ) is not a leaf in MT̄ and there exists τ such that σ ⊨ En(τ), and we conclude

⊨ (Φ ∧ (δ = w)) → En(τ)

Moreover, the τ-move reaches an immediate successor ξ' of ξ in MT̄* and we know ρ(ξ') ≺ ρ(ξ).

{Φ ∧ (δ = w)} τ {δ ≺ w}

If the τ-move reaches a leaf of MT̄ then the resulting state satisfies I2, otherwise it satisfies Φ. Thus,

{Φ ∧ (δ = w)} τ {I2 ∨ Φ}


P Sat p → q
for q ∈ L


P Sat p
for q ∈ L


P Sat p → f1
P Sat p → f2


P Sat p1 → f
P Sat p2 → f


P Sat p → (f1 ∧ f2)    P Sat (p1 ∨ p2) → f


P Sat q → f1


P Sat p → (f1 ∧ f2)


P Sat p → EX¬f1


P Sat p → ¬AX f1


P Sat p → EX f1


P Sat p →


P Sat p → A[f1 U f2]
where f1 ∉ L or f2 ∉ L


AU1 – AU4


P Sat p → A[I1 U I2]
where I1, I2 ∈ L


P Sat p → EG¬f2
or

P Sat p →


P Sat p → ¬A[f1 U f2]


P Sat I1 → f1

P Sat I2 → f2

P Sat p → E[I1 U I2]

P Sat p → (¬f1 ∧ ¬f2)
or

p → I

P Sat I → ¬f2 ∧ AX(I ∨ (¬f1 ∧ ¬f2))

P Sat p → E[f1 U f2]
where f1 ∉ L or f2 ∉ L

AU1, AU3, AU4

P Sat p → ¬E[f1 U f2]

P Sat p → E[I1 U I2]

where I1, I2 ∈ L

P Sat p → ¬E[true U ¬f1]


P Sat p → AG f1


P Sat p → E[true U ¬f1]


P Sat p → ¬AG f1


EG1 – EG6


P Sat p → EG f1


P Sat


P Sat p → ¬EG f1


Figure 1: The deduction system


